Re: [ietf-smtp] How to encrypt SMTP?

Keith Moore <moore@network-heretics.com> Sat, 26 October 2019 22:29 UTC

From: Keith Moore <moore@network-heretics.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 26 Oct 2019 18:28:58 -0400
References: <DA6C74A3-0D48-4D73-AE06-20378A5CFE54@dukhovni.org>
In-Reply-To: <DA6C74A3-0D48-4D73-AE06-20378A5CFE54@dukhovni.org>
To: ietf-smtp@ietf.org
Message-Id: <037312D9-E9DD-464C-89D3-036786456119@network-heretics.com>
X-Mailer: iPhone Mail (17A860)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/KUmqXVkfxntbMOk4-aBgDcnMZpc>
Subject: Re: [ietf-smtp] How to encrypt SMTP?

> On Oct 26, 2019, at 5:05 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
> For mostly opportunistic TLS,
> there's not much incentive to jump through complex TLS hoops.

Yes, but IMO we should be moving toward a world in which TLS is mandatory for SMTP relay. Clear guidance to implementors and operators on what TLS versions, cert algorithms, and ciphersuites a client and server should support might help us get there.

(perhaps as a stepping stone, cleartext mail relay could be pessimized by having servers randomly return 4xx in response to MAIL sent without TLS, obsolete TLS, or weak ciphersuites, with the probability of such responses increasing over time.)

Keith
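The stepping-stone idea in the message above, as an added example that is not from the thread or from any MTA's code: a receiving server's policy for the MAIL command that tempfails sessions with no TLS, obsolete TLS, or a weak ciphersuite, with a probability that ramps up over time. The ramp dates, the TLS 1.2 floor, the weak-suite markers, and the `Session` shape are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumed policy knobs (not from the thread): the tempfail probability ramps
# linearly from 0 at RAMP_START to 1 at RAMP_END, and TLS below 1.2 is "obsolete".
RAMP_START = datetime(2020, 1, 1, tzinfo=timezone.utc)
RAMP_END = datetime(2021, 1, 1, tzinfo=timezone.utc)
MIN_TLS = (1, 2)
# Assumed "weak" markers: broken or export-grade primitives in OpenSSL-style suite names.
WEAK_MARKERS = ("NULL", "RC4", "DES", "EXPORT", "MD5", "ANON")

@dataclass
class Session:
    tls_version: Optional[Tuple[int, int]]  # (1, 2) for TLSv1.2; None = cleartext
    cipher: Optional[str]                   # e.g. "ECDHE-RSA-AES256-GCM-SHA384"

def utc(iso_date: str) -> datetime:
    """Parse 'YYYY-MM-DD' into an aware UTC datetime (helper for callers/tests)."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)

def tls_deficiency(s: Session) -> Optional[str]:
    """Why this session would be pessimized, or None if it is acceptable."""
    if s.tls_version is None:
        return "no TLS"
    if s.tls_version < MIN_TLS:
        return "obsolete TLS %d.%d" % s.tls_version
    cipher = (s.cipher or "").upper()
    if any(m in cipher for m in WEAK_MARKERS):
        return "weak ciphersuite %s" % s.cipher
    # Every TLS 1.3 suite has forward secrecy; below that, require an (EC)DHE key exchange.
    if s.tls_version < (1, 3) and not cipher.startswith(("ECDHE-", "DHE-")):
        return "non-PFS ciphersuite %s" % s.cipher
    return None

def tempfail_probability(now: datetime) -> float:
    """Linear ramp: 0.0 before RAMP_START, 1.0 after RAMP_END."""
    frac = (now - RAMP_START).total_seconds() / (RAMP_END - RAMP_START).total_seconds()
    return min(1.0, max(0.0, frac))

def mail_response(s: Session, now: datetime, draw: float) -> str:
    """Server reply to MAIL FROM. `draw` is a uniform [0,1) value the caller
    supplies (random.random() in production) so the decision is reproducible."""
    reason = tls_deficiency(s)
    if reason is not None and draw < tempfail_probability(now):
        return "454 4.7.0 Temporary failure (%s); retry over TLS 1.2+ with a PFS ciphersuite" % reason
    return "250 2.1.0 OK"
```

Because the refusal is a 4xx, a conforming sender queues and retries, so a policy like this degrades cleartext delivery gradually rather than bouncing mail outright.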